Tutorial: Is HTML::StripScripts still safe for removing modern exploits?



Question:

I need a way in Perl to strip naughty things, such as XSS, image interjection, and the works.

I found HTML::StripScripts, but it hasn't been updated in close to two years, and I'm not up to date with all the new exploits.

Is it safe?

What other markup languages (in Perl) would you use?


Solution:1

XSS is a vast topic and exploits come up every other day.

Just removing scripts will not make your code/site safe.

It is better not to try to strip (blacklist) certain things. It is safer to whitelist the HTML/special characters you will allow on your site, i.e. `<b>`, `<i>`.

Defang seems to be the latest/greatest anti-XSS lib for Perl on CPAN.

Blacklisting vs Whitelisting

OWASP XSS Cheat Sheet

And I suggest playing with CAL9000 to get an idea of how widespread/tricky XSS is.


Solution:2

HTML::StripScripts is a whitelist, can use a tree-based parser, and should be as safe as the whitelist.
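Both answers come down to the same point: allow a short list of tags and drop everything else, rather than hunting for known-bad constructs. The script below is an added example of that whitelist approach using HTML::StripScripts::Parser (the module the question asks about); it is not code from either answer or from the module's own documentation. It assumes HTML::StripScripts is installed from CPAN, and the sample inputs are constructed here to cover the cases the question raises (script tags, image tags carrying event handlers, and script-scheme links).

```perl
#!/usr/bin/perl
# Added example: whitelist-based sanitizing with HTML::StripScripts::Parser.
# Assumes HTML::StripScripts (CPAN) is installed. Sample inputs are constructed.
use strict;
use warnings;
use HTML::StripScripts::Parser;

# Build a whitelisting filter. Only the listed tags survive; every other
# tag, and every attribute the module does not know to be safe, is removed.
# Because this is a whitelist, a new attribute or tag that appears in the
# wild is dropped by default rather than needing a blacklist update.
sub make_filter {
    return HTML::StripScripts::Parser->new(
        {
            Context   => 'Inline',     # only inline markup is legal in this field
            BanAllBut => [qw(b i a)],  # the whitelist itself
            AllowHref => 1,            # keep href, subject to the module's URL scheme check
            AllowSrc  => 0,            # no <img src=...> from untrusted users
        }
    );
}

# Run one untrusted string through the filter and return the cleaned markup.
sub sanitize {
    my ($html) = @_;
    my $filter = make_filter();
    return $filter->filter_html($html);
}

# Constructed untrusted inputs exercising the cases from the question.
my @samples = (
    'Hello <b>world</b>, <i>italics</i> are fine.',
    '<script>alert(1)</script>plain text after a script tag',
    '<img src="x" onerror="alert(1)">image tag with an event handler',
    '<a href="javascript:alert(1)">link with a script-scheme URL</a>',
    '<a href="http://example.com/">ordinary link</a>',
);

for my $in (@samples) {
    printf "IN : %s\nOUT: %s\n\n", $in, sanitize($in);
}
```

Run it and compare the IN and OUT lines: the `<b>` and `<i>` text passes through, while the script tag, the image tag with its `onerror` attribute, and the `javascript:` link do not survive, because none of them is on the whitelist or passes the module's attribute checks. The same shape applies if you follow the first answer and use HTML::Defang instead: construct the object, hand it the untrusted string, and use only what comes back. In either case the safety of the output is bounded by the whitelist you configure, so keep it as short as the feature actually needs.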

